Booking.com Users: New Targets in Ongoing Phishing Campaign

  • Written by Shipra Sanganeria, Cybersecurity & Tech Writer

Booking.com continues to be on the radar of threat actors. Earlier this month, researchers at Perception Point found unknown hackers using multi-step social engineering techniques to target hotels and travel agencies registered with the site.

This week, Perception Point again revealed a new large-scale phishing campaign, this time targeting the website’s users (hotel guests). Hackers were observed deploying a four-step information-stealing campaign to gain unauthorized access to hotel systems and then using guests’ booking information to launch phishing attacks.

After gaining control of the hotel’s official Booking.com account, the hackers were observed accessing the personal information customers had used to create reservations on the website.

Harvested data such as full names, booking dates, hotel details, and partial payment details were then used to craft personalized messages. To create a sense of urgency, targeted victims were told to provide their credit card details within 24 hours to avoid cancellation of their booking; the threat actors presented this step as a ‘verification test’.

The final step redirected the targets to a seemingly legitimate Booking.com phishing page, pre-filled with the personal information the target had used for the booking. “The URL, designed to further deceive, follows the pattern: ‘booking.id(numbers).com’ or ‘booking.reserve-visit.com,’” Perception Point explained. Once on the page, the targets were asked to re-enter their bank and credit card details, unaware that they were exposing themselves to financial fraud.

By mimicking Booking.com in this way, cybercriminals found a novel way to gather victims’ information and commit financial fraud.

The cyber intelligence company disclosed that this campaign has had a far-reaching effect, involving many hotels and resorts worldwide. “The financial implications are severe, but the breach of trust and the potential misuse of personal data could have even more far-reaching consequences,” the researchers revealed.

To avoid falling victim to this fraud, users should scrutinize URLs before clicking on them, be wary of emails and messages demanding immediate action, contact service providers through official channels when in doubt, share knowledge about cyber threats with friends and the wider community, and monitor their bank and credit card accounts for unauthorized transactions.

ZenRAT: Novel Malware Distributed Via Fake Bitwarden Installers

  • Written by Shipra Sanganeria, Cybersecurity & Tech Writer

A new remote access trojan (RAT), ZenRAT, was found concealed within fake installation packages for the Bitwarden password manager.

This information-stealing malware, which primarily targets Windows users, was hosted on a fake website impersonating Bitwarden, researchers at Proofpoint revealed. The distribution method was not confirmed; based on similar past cases, it is believed that victims were directed to the dubious domains via phishing emails, SEO poisoning, and adware bundles.

The seemingly legitimate website selectively displays the fake Bitwarden download to Windows users, while non-Windows users are redirected to a cloned opensource.com article titled ‘How to Manage Your Passwords with Bitwarden, a LastPass Alternative.’

Moreover, Windows users who click the Linux or macOS download links are redirected to the legitimate Bitwarden site.

The counterfeit installer was first reported on VirusTotal in July 2023 under a different name. Claiming to be “Piriform’s Speccy,” a system information gathering application, the installer also claimed to carry the digital signature of Tim Kosse, an open-source software developer known for the FileZilla FTP/SFTP software.

ZenRAT, which runs as ApplicationRuntimeMonitor.exe, uses WMI queries and other system tools on execution to gather information about the system: IP address, CPU, GPU and RAM details, OS version, installed applications, and antivirus software.

Subsequently, these details, along with browser credentials and data, are transferred to its command-and-control (C2) server using a unique C2 protocol.

ZenRAT is configured to support different Command IDs, which are used to transmit its logs in plaintext to the C2 server. These logs disclose the various checks performed by the malware, including mutex creation, anti-virtualization, system, and geo-restriction checks. The investigation further revealed that the malware was designed to be a “modular, extendable implant.”

To mitigate such threats, Proofpoint researchers advise users to be wary of software ads that appear in search engine results. “End users should be mindful of only downloading software directly from the trusted source, and always check the domains hosting software downloads against domains belonging to the official website.”
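The URL check that both articles recommend (scrutinising links before clicking, and checking a download's host against the official site) is shown below as an added Python example; it is not part of the original articles or of either vendor's research. It classifies a URL by its registrable domain, flags the two lookalike host patterns quoted by Perception Point, and generalises that to any host that carries a vendor brand name outside the vendor's own domain. The two-label registrable-domain rule, the set of official domains and the sample links are assumptions.

```python
import re
from urllib.parse import urlsplit

# Official vendor domains (assumption: the two vendors named in the articles).
OFFICIAL_DOMAINS = {"booking.com", "bitwarden.com"}

# Host patterns quoted in the Perception Point write-up:
# 'booking.id(numbers).com' and 'booking.reserve-visit.com'.
REPORTED_PATTERNS = [
    re.compile(r"^booking\.id\d+\.com$"),
    re.compile(r"^booking\.reserve-visit\.com$"),
]


def registrable_domain(host: str) -> str:
    """Last two labels of the host (assumption: no multi-label public suffixes)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def classify_url(url: str) -> str:
    """Return 'official', 'lookalike' or 'unknown' for the host named in url."""
    if "://" not in url:  # bare "booking.com/..." as pasted from a message
        url = "https://" + url
    host = urlsplit(url).hostname  # drops userinfo, port and case
    if not host:
        return "unknown"
    host = host.rstrip(".")
    if registrable_domain(host) in OFFICIAL_DOMAINS:
        return "official"
    if any(p.match(host) for p in REPORTED_PATTERNS):
        return "lookalike"
    # Generalisation beyond the quoted patterns: a vendor brand name appears in
    # any label left of the TLD, but the registrable domain is not the vendor's
    # (e.g. 'booking.com.evil.example' or 'bitwarden-installer.example').
    brands = {d.split(".")[0] for d in OFFICIAL_DOMAINS}
    if any(b in label for label in host.split(".")[:-1] for b in brands):
        return "lookalike"
    return "unknown"


if __name__ == "__main__":
    # Constructed sample links following the patterns described in the articles.
    for sample in ("https://secure.booking.com/reservation",
                   "https://booking.id12345.com/verify",
                   "booking.reserve-visit.com/",
                   "https://booking.com.evil.example/",
                   "https://bitwarden-installer.example/download"):
        print(f"{classify_url(sample):9} {sample}")
```

Note that a link carrying the brand in its userinfo part (`https://booking.com@evil.example/`) is resolved to the real host `evil.example` by `urlsplit`, so it is never reported as official.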